Professor Greg Austin, Deputy Director of UNSW Canberra Cyber, has warned that Australia and allied states are at risk of experiencing a cyber ‘blitzkrieg’ against civil defences in conflict with a near-peer competitor.
Professor Austin’s warning is made in a paper due to be presented at the First International Research Conference on the Cyber Storm in Canberra next week, an event attended by a range of global experts and Major General Marcus Thompson, the ADF’s Head of Information Warfare.
Crucially, the paper argues that the risk management strategies used by businesses in peace are “irrelevant” in war. The wartime threat posed by adversary cyber capabilities will be multi-vector, multi-wave, multi-locality, involve civil and military targets, affect intended and unintended targets, and accompany social media operations. Whilst governments are aware of this threat, Austin argues that we are insufficiently prepared to meet “such complex, multifaceted onslaughts on a rolling basis over protracted periods.”
The report uses the word ‘blitzkrieg’ to highlight the fact that cyber capabilities are, alongside EW, the only weapons that can be delivered almost instantly “at all levels of command” and onto civil targets such as power stations and dams. This necessitates the need for cyber civil defence alongside traditional civil defence tasks including evacuations, shelter and blackout management, decontamination, and others; a need that is, on the whole, unmet.
Austin puts forth a hefty list of gaps in national preparedness for cyber blitzkrieg, including: planning and documentation, private/public planning, decision-making tech, information sharing, situational awareness, communications, legal, education, and many more. The long list of gaps creates a long list of policy recommendations, including the formation of task forces, a Cyber Civil Corps, a National Cyber War College, “at least one” civil defence research centre, elevating resilience spending by up to 1000 per cent, and others.
“It has become quite clear that none of the four main actor sets (government, military, private sector, or universities) can rise to any of the challenges by acting in isolation,” Austin argues. “The problem set almost certainly needs new energy, new vision, and a new paradigm.
“Change will need to be driven through a new institutional centre of gravity that is multi-stakeholder.”
In short, competition in cyberspace is escalating – an observation that will come as no surprise to readers. It is the scale of capabilities, however, on which Austin sheds light. The US has announced the legality of targeting power stations and dams in wartime, presumably by cyber means; Russia has attacked critical infrastructure in Ukraine and elsewhere; and the UK has revealed that it is prepared to black out Moscow by cyber means in a crisis. Other examples not listed in the report include the famous Stuxnet attack on Iranian nuclear infrastructure and the WannaCry ransomware attack that hit Britain’s NHS.
“An increasing number of states now accept that cyber civil defence is not only a necessity, but also that it is achievable,” Austin concludes. “Yet few countries have set in place the mechanisms… let alone provide their citizens, stakeholders and partners with a narrative that can explain the difficulties and complexity of the task.”